How to Fix SonicWall VPN MFA Bypass Vulnerability (CVE-2024-12802)

Threat actors are actively exploiting CVE-2024-12802, a critical authentication bypass flaw in SonicWall SSL-VPN appliances. The vulnerability lets attackers with valid credentials skip multi-factor authentication entirely and gain direct access to internal networks.

SonicWall VPN MFA Bypass Vulnerability (CVE-2024-12802)
SonicWall VPN MFA Bypass Vulnerability (CVE-2024-12802)

If your organization runs SonicWall Gen6 devices, installing the firmware update alone does not protect you. You must also manually reconfigure the LDAP server settings after patching, or the device stays vulnerable despite running updated firmware.

Who is affected: SonicWall Gen6, Gen7, Gen8, and SMA100 appliances integrated with Microsoft Active Directory using LDAP authentication.

What Is CVE-2024-12802

CVE-2024-12802 exists because SonicWall SSL-VPN handles UPN (User Principal Name) and SAM (Security Account Manager) account names separately when integrated with Microsoft Active Directory. Since MFA can be configured independently for each login method, an attacker authenticates through the alternative account name format that has no MFA enforcement applied, bypassing the protection entirely.

CISA assigned a CVSS score of 9.1 (Critical) to this vulnerability, reflecting network-level exploitation with no privileges or user interaction required.

The weakness falls under CWE-305: Authentication Bypass by Primary Weakness.

Affected SonicWall Devices

PlatformVulnerable Versions
Gen6 NSv (NSv10 to NSv1600)6.5.4.4-44v-21-2457 and older
Gen6 Firewalls (SOHOW, TZ 300 to TZ 600, NSA 2650 to NSA 6650, SM 9200 to SM 9650, SOHO 250, TZ 350)6.5.4.15-117n and older
Gen7 Firewalls (TZ270 to TZ670, NSa 2700 to NSa 6700, NSsp 10700 to NSsp 15700) and Gen7 NSv7.0.1-5161, 7.1.1-7058, 7.1.2-7019 and older
TZ808.0.0-8035
SMA10010.2.1.13-72sv and older

End-of-life notice: Gen6 SSL-VPN appliances reached end-of-life on April 16, 2025. They no longer receive security updates. Migrating to an actively supported Gen7 or Gen8 device is strongly recommended.

How Attackers Exploit CVE-2024-12802

Cybersecurity firm ReliaQuest investigated multiple intrusions between February and March 2025 and assessed with medium confidence that these are the first confirmed in-the-wild exploitations of CVE-2024-12802, spanning multiple sectors and geographies.

The attack sequence was fast and deliberate:

  • The attacker authenticated through the MFA bypass and accessed the internal network
  • In one incident, the threat actor reached a domain-joined file server in under 30 minutes
  • The attacker established a remote connection over RDP using a shared local administrator password
  • They attempted to deploy a Cobalt Strike beacon for command-and-control communication
  • They also tried to load a vulnerable driver to disable endpoint protection via the Bring Your Own Vulnerable Driver (BYOVD) technique
  • The installed EDR solution blocked both the beacon and the driver in the observed incidents

A critical detail defenders need to know: the rogue login attempts appeared as normal MFA flows in logs. Security teams reviewing authentication logs saw what looked like successful MFA events, even though MFA had been bypassed. Many organizations believed their MFA was working when it was not.

Based on the pattern of deliberately logging out and returning days later using different accounts, ReliaQuest believes the threat actor operates as an initial access broker, selling network entry to ransomware groups.

Using a VPN does not make you invisible online, and this attack demonstrates exactly why. Encrypting traffic provides no defense when the authentication layer itself contains a bypass.

How to Fix CVE-2024-12802 on Gen6 Devices

Gen6 devices running firmware version 6.5.5.1-6n require manual LDAP reconfiguration after updating. Devices running 6.5.5.2-28n and higher do not require these manual steps.

Follow these steps in exact order:

Step 1: Delete the Existing LDAP Configuration

Go to Device > Users > Settings > Authentication > Configure LDAP.

Delete the LDAP server configuration that uses userPrincipalName in the Qualified login name field.

Step 2: Remove Locally Cached LDAP Users

Go to Device > Local Users & Groups > Local Users.

Delete all locally listed LDAP users. Leaving cached users in place allows stale vulnerable credentials to persist.

Step 3: Remove the SSL VPN User Domain

Go to Network > SSL VPN > Server Settings > SSL VPN Server Settings > User Domain.

Remove the configured User Domain. The setting reverts to LocalDomain automatically.

Important: After completing remediation, the User Domain in SSL VPN Server Settings must remain at the default LocalDomain. Only usernames matching the SAM Account Name format may be used to log in.

Step 4: Reboot the Firewall

Reboot the device to apply the configuration changes cleanly.

Step 5: Recreate the LDAP Configuration

Return to Device > Users > Settings > Authentication > Configure LDAP.

Create a new LDAP server configuration without userPrincipalName in the Qualified login name field. The latest firmware version removes userPrincipalName as a default option.

Step 6: Create a Fresh Backup

Create a backup immediately after completing the remediation steps. Restoring an older backup will reintroduce the vulnerable LDAP configuration.

SonicWall has published an automation script for SNWLID-2025-0001 that handles these steps via SonicOS API or SSH. It is available through the SonicWall SonicOS Automation page.

Fixed Firmware Versions

PlatformFixed Version
Gen6 NSv6.5.4.4-44v-21-2472 and higher
Gen6 Firewalls6.5.5.1-6n and higher (manual LDAP steps required)
Gen7 Firewalls / Gen7 NSv7.0.1-5169 and higher, 7.2.0-7015 and higher
Gen8 Firewalls (TZ80, NSa 2800)8.0.1-8017 and higher
SMA10010.2.1.14-75sv and higher

For Gen7 and Gen8 devices, updating to the fixed firmware version is sufficient. No additional LDAP reconfiguration is required. SonicWall incorporated the remediation steps directly into versions 7.2.0-7015 and 8.0.1-8017.

How to Detect Active Exploitation

ReliaQuest identified several strong indicators of compromise across all investigated incidents:

sess="CLI" in VPN authentication logs This value appears in log entries when scripted or automated VPN authentication runs. Legitimate user logins do not generate this signal. Treat any occurrence as a high-priority alert.

Event IDs 238 and 1080 Monitor SonicWall authentication logs specifically for these event identifiers. They appeared consistently across the intrusions ReliaQuest analyzed.

VPN logins from VPS or anonymizing infrastructure Logins originating from hosting providers, data centers, or known VPN exit nodes warrant immediate investigation. The threat actors in these incidents used VPS infrastructure to mask their origin.

Normal-looking MFA log entries despite bypass Because the bypass exploits a legitimate authentication path, log entries do not flag the authentication as suspicious. Do not treat a clean MFA log as confirmation that MFA worked.

Organizations running SonicWall devices alongside Microsoft Active Directory should also review their broader identity security posture. Credential-based attacks frequently span both network appliances and cloud entry points. Reviewing how to secure your Microsoft 365 account against data theft attacks is a strong complementary step.

If your environment uses Azure Active Directory with LDAP integration, the authentication flow weaknesses described in detecting and stopping Azure SSPR abuse attacks are directly relevant. Both CVE-2024-12802 and SSPR abuse exploit alternative authentication paths that bypass MFA controls, not software bugs requiring code execution.

For teams also troubleshooting other VPN connectivity problems, Meraki VPN connection issues on Windows 11 and Azure VPN P2S connection errors cover authentication and access failures on other common enterprise VPN platforms.

Related Guides

Leave a Comment

Comments

No comments yet. Why don’t you start the discussion?

    Leave a Reply